JP6676508B2 - Security diagnosis device and security diagnosis method - Google Patents

Description

  The present invention relates to a security diagnosis device in a power generation / power storage plant.

  JP-A-2015-162140 (Patent Document 1) discloses a technique for detecting the occurrence of an abnormality or an accident based on measurement data from a plant when an abnormal transient event or an accident occurs in the plant. There is technology.

  This publication describes that "it is distinguished whether the cause of the signal change is a change in plant characteristics or a change in control logic".

JP-A-2015-162140

The remote plant control server sends out a plant operation signal and controls the plant. In Patent Literature 1, if an abnormal operation signal is transmitted due to, for example, infection of the remote plant control server with malware, the output becomes abnormal, and the abnormality of the remote plant control server can be detected.
However, even if the value of the operation signal to be transmitted to the plant is in a normal operation range, if the value of the operation signal suddenly changes, an abnormality may be caused. For example, the remote plant control server repeatedly changes the rotation speed of the turbine of the plant between the minimum value and the maximum value at once, and the turbine breaks down. When the remote plant control server is infected with malware or the like and transmits an abrupt operation signal value, there is a problem that it is difficult to notice the abnormal operation of the remote plant control server until the plant becomes abnormal.

In order to solve the above problems, a security diagnosis device according to the present invention includes an operation signal classification unit that classifies operation signals transmitted by a remote plant control server into categories, a database that stores past diagnosis results, and a database that is measured by a plant. Measurement signal classifying means for classifying the measured signals into categories, and the operation signal of the remote plant control server is abnormal based on the classification result of the operation signal classification means, the classification result of the measurement signal classification means, and the past diagnosis result. Security diagnosis means for diagnosing the situation.

  Even if the operation signal of the remote plant control server is a signal in the normal range, it is possible to detect that the plant is operating abnormally.

Block diagram illustrating security diagnostic device 100 Operation flowchart of security diagnostic apparatus 100 Diagram for explaining the configuration of the data decomposition function of the classification unit FIG. 2 is a block diagram showing a configuration of an F0 layer 621. FIG. 2 is a block diagram showing a configuration of an F1 layer 622. Operation flowchart of security diagnosis means 170 Diagram for explaining the mode of data stored in the operation signal classification result database Diagram explaining the state of data stored in the diagnosis result database The figure which shows the screen which displays the result of having classified the judgment result in the flowchart of FIG. 4, an operation signal, an operation signal, and a measurement signal into a category. The figure explaining the structure when the plant 200 to be operated is a gas turbine plant The figure explaining the structure when the plant 200 to be operated is a storage battery plant

  A security diagnosis device according to an embodiment of the present invention will be described below with reference to the drawings.

  FIG. 1 is a block diagram illustrating a security diagnosis device 100 according to a first embodiment of the present invention. The remote plant control server 310 and the plant 200 are monitored using the security diagnosis device 100.

  The plant 200 has an on-site plant control device 210 and a main plant 220. Various measuring devices are installed in the main plant, and measurement signals measured by these measuring devices are transmitted to the on-site plant control device 210. There is a remote plant control server 310 for controlling the plant 200 from a remote location. The remote plant control server 310 transmits the operation signal 1 to the on-site plant control device 210 in the plant 200. The on-site plant control device 210 calculates and transmits an operation signal to the plant main unit 220 to control the plant main unit 220 to a desired operation state based on the operation signal 1 transmitted from the remote plant control server 310.

  The plant measurement signal 19 received by the on-site plant control device 210 and the signal 3 including the operation signal 17 calculated by the on-site plant control device 210 are stored in the plant data recording device 320. The signal 3 may include an arbitrary signal calculated by the on-site plant control device 210.

  The security diagnosis device 100 includes an operation signal classification unit 151, a measurement signal classification unit 152, and a security diagnosis unit 170 as arithmetic units. The security diagnosis device 100 includes a measurement signal database 130, an operation signal database 140, an operation signal classification result database 161, a measurement signal classification result database 162, and a diagnosis result database 180 as databases. In FIG. 1, the database is abbreviated as DB.

  In addition, the security diagnosis device 100 includes an external input interface 110 and an external output interface 120 as external interfaces.

  Then, the measurement signal 4 obtained by measuring various upper state quantities that are the operation states of the plant via the external input interface 110, the operation signal 1 from the remote plant control server, the keyboard 420 provided in the operation management room 400, An external input signal 5 operated by operating the external input device 410 including the mouse 430 is taken into the security diagnosis device 100.

The image display information 17 is output to the image display device 440 provided in the operation management room 200 via the external output interface 120.
The measurement signal 6 captured by the security diagnosis device 100 is stored in the measurement signal database 130. The operation signal 7 taken into the security diagnosis device 100 is stored in the operation signal database 140. Although many of the measurement signal 4 and the operation signal 1 are analog quantities, the measurement signal 6 and the operation signal 7 captured in the security diagnosis device 100 are time-sequential digital quantities, so that the symbols are distinguished.

  The security diagnosis device 100 has two processing modes: a model construction processing mode and a diagnosis processing mode.

  In the model construction mode, the measurement signal and the operation signal in a normal state are classified into several groups using a clustering technique, and a diagnosis model is constructed.

  In the diagnosis processing, the measurement signal and the operation signal at the time of diagnosis are classified into groups using a clustering technique, and security diagnosis is performed.

  The operation in the model construction processing mode will be described first.

  In the model construction processing mode, a monitoring model used for detecting a state change is constructed. First, the measurement signal classifying unit 152 extracts the measurement signals 8 for a predetermined period from the measurement signal database 130, and classifies the measurement signals 8 by a clustering technique. The measurement signal classification result information 11 as the classification result is transmitted to the measurement signal classification result database 162 and stored.

  Next, the operation signal classifying unit 151 extracts the operation signals 9 for a predetermined period from the operation signal database 140 and classifies them by the clustering technique. The operation signal classification result information 10 as the classification result is transmitted to the operation signal classification result database 161 and stored.

  In addition, not only the measurement signal but also an arbitrary signal calculated by the on-site plant control device 210 is extracted, and the measurement signal classification means 152 classifies the measurement signal and the arbitrary signal calculated by the on-site plant control device 210 by a clustering technique. May be. Further, the measurement signal and the operation signal may be respectively divided into arbitrary groups, and a diagnostic model may be constructed for each group.

  As described above, in the security diagnosis device 100 according to the present embodiment, the measurement signal and the operation signal are individually classified.

  Next, the operation in the diagnostic processing mode will be described.

First, the measurement signal classification processing unit 152 classifies the measurement signal 8 by a clustering technique while referring to the measurement signal 8 and the diagnostic model constructed in the model construction processing mode, and transmits the operation signal classification result information 12 to the security diagnosis unit 170.
Further, the operation signal classification processing unit 151 classifies the operation signal 9 by a clustering technique while referring to the operation signal 9 and the diagnostic model constructed in the model construction processing mode, and transmits the measurement signal classification result information 13 to the security diagnosis unit 170. .

  Then, the security diagnosis unit 170 diagnoses the security of the remote plant control server 310 from the operation signal classification result information 12 and the measurement signal classification result information 13 based on the past diagnosis result information 20. The diagnostic result information 16 is output to the external output interface 120.

  In the security diagnosis device 100 according to the present embodiment, the operation signal classification unit 151, the measurement signal classification unit 152, the security diagnosis unit 170, the operation signal database 140, the measurement signal database 130, the operation signal classification result database 161, the measurement signal classification Although the result database 162 and the diagnosis result database 180 are provided inside the security diagnosis device 100, some of these devices are arranged outside the security diagnosis device 100 so that only data is communicated between the devices. Is also good.

  Further, the operation signal database 140, the measurement signal database 130, the operation signal classification result database 161, the measurement signal classification result database 162, and the database information 1801 and 1802 stored in the diagnosis result database 180 installed in the security diagnosis device 100 are as follows. Data communication can be performed with the operation management room 900, and information in the database can be displayed on the image display device 940. The information can be modified by an external input signal 5 generated by operating an external input device 410 including a keyboard 420 and a mouse 430.

  FIG. 2 is an operation flowchart of the security diagnosis device 100.

  Step R10: The signal stored in the plant data recording device is taken into the diagnostic device 100 via the external input interface 120, and the measurement signal 6 is stored in the measurement signal database 130. Further, the transmission signal of the remote plant control server is taken into the diagnostic device 100 via the external input interface 120, and the operation signal 7 is stored in the measurement signal database 140.

Step R20: The measurement signal classifying means 152 is operated to extract the predetermined measurement signal 8 from the measurement signal database 130, and classify it by the clustering technique. The measurement signal classification result information 11 as the classification result is transmitted to the measurement signal classification result database 162 and stored.
The measurement signal classification result information 15 as the classification result is also transmitted to the security diagnosis unit 170. The detailed operation content of the measurement signal classification means 152 will be described later with reference to FIG.

Step R30: The operation signal classifying unit 151 is operated to extract a predetermined operation signal 7 from the operation signal database 140, and classify it by the clustering technique. The operation signal classification result information 10 as the classification result is transmitted to the operation signal classification result database 161 and stored.
The operation signal classification result information 12 as the classification result is also transmitted to the security diagnosis unit 170. The detailed operation contents of the measurement signal classification means 151 will be described later with reference to FIG.

  Step R40: Determine an operation mode. In the case of the model construction mode, the process ends. In the case of the diagnostic processing mode, the process proceeds to step R50.

  Step R50: The security diagnosis unit 170 is operated to diagnose the state of the remote plant control server, and outputs the diagnosis result information 16 to the external output interface 120.

  The diagnostic result information 21 is also transmitted to the diagnostic result database 180 and stored. The operation of the security diagnosis unit 170 will be described later with reference to FIG.

Step R60: Perform the end determination, and if the end determination is satisfied, end the diagnostic processing mode. If the termination condition is not satisfied, the process returns to step R10. Here, the termination condition is a condition determined in advance by the user. For example, the process ends when an end signal is transmitted from the keyboard 41 or the mouse 42 to the security diagnosis unit 170.
FIG. 3 is a diagram illustrating the operation signal classification unit 151 and the measurement signal classification unit 152.

  In the present embodiment, a case will be described in which adaptive resonance theory (ART) is applied as a technique for classifying signals. Note that other clustering methods such as vector quantization and a support vector machine can also be used.

  As shown in FIG. 3A, the data classification function includes a data preprocessing device 610 and an ART module 620. The data preprocessor 610 converts the operation data into the input data of the ART module 620.

  Hereinafter, those means by the data preprocessing device 610 and the ART module 620 will be described.

First, the data preprocessing device 610 normalizes data for each operation signal and each measurement item. Data including the data Nxi (n) obtained by normalizing the operation signal and the measurement signal and the complement CNxi (n) (= 1−Nxi (n)) of the normalized data are set as input data I _i (n). The input data I _i (n) is input to the ART module 620.

  In the ART module 620, the measurement signal 8 or the operation signal 9 as input data is classified into a plurality of categories.

  The ART module 620 includes an F0 layer 621, an F1 layer 622, an F2 layer 623, a memory 624, and a selection subsystem 625, which are interconnected. The F1 layer 622 and the F2 layer 623 are connected via a weight coefficient. The weight coefficient represents a prototype of a category into which the input data is classified. Here, the prototype represents a representative value of the category.

  Next, the algorithm of the ART module 620 will be described.

  An outline of an algorithm when input data is input to the ART module 620 is as the following processing 1 to processing 5.

  Process 1: The input vector is normalized by the F0 layer 621 to remove noise.

  Process 2: Select a suitable category candidate by comparing the input data input to the F1 layer 622 with the weighting coefficient.

  Process 3: The validity of the category selected by the selection subsystem 625 is evaluated based on the ratio with the parameter ρ. If it is determined that the input data is appropriate, the input data is classified into the category, and the process proceeds to processing 4. On the other hand, if it is not determined that the category is appropriate, the category is reset, and a suitable category candidate is selected from other categories (the process 2 is repeated). When the value of the parameter ρ is increased, the classification of the category becomes finer, and when the value of ρ is reduced, the classification becomes coarser. This parameter ρ is called a vigilance parameter.

  Process 4: When all the existing categories are reset in process 2, it is determined that the input data belongs to the new category, and a new weight coefficient representing a prototype of the new category is generated.

Process 5: When the input data is classified into the category J, the weight coefficient WJ (new) corresponding to the category J uses the past weight coefficient WJ (old) and the input data p (or data derived from the input data). Is updated by the following equation (1).
WJ (new) = Kw · p + (1−Kw) · WJ (old) Expression (1)
Here, Kw is a learning rate parameter (0 <Kw <1), and is a value that determines the degree to which the input vector is reflected in the new weight coefficient.

  It should be noted that the arithmetic expressions of Expression (1) and Expressions (2) to (12) described later are incorporated in the ART module 620.

  The feature of the data classification algorithm of the ART module 620 lies in the processing 4 described above.

  In process 4, when input data different from the pattern at the time of learning is input, a new pattern can be recorded without changing the recorded pattern. For this reason, it is possible to record a new pattern while recording a pattern learned in the past.

  As described above, when the operation data given in advance as the input data is given, the ART module 620 learns the given pattern. Therefore, when new input data is input to the learned ART module 620, it is possible to determine which pattern in the past is close by the above algorithm. If the pattern has not been experienced in the past, it is classified into a new category.

FIG. 3B is a block diagram illustrating the configuration of the F0 layer 621. In F0 layer 621, the input data _{I i} again normalized at each time, to create a normalized input vector _{u i} is input to the F1 layer 622 and selection subsystem 625.

First, w _i ⁰ is calculated from input data I _{i according} to equation (2). Here, a is a constant.

Next, x _i ⁰ obtained by normalizing w _i ⁰ is calculated using Expression (3). Here, || · || is a symbol representing a norm.

Then, using equation (4), calculates the _v ^{i 0} obtained by removing noise from _{x i.} Here, θ is a constant for removing noise. By the calculation of Expression (4), the minute value becomes 0, so that noise of the input data is removed.

Finally, a normalized input vector u _i ⁰ is obtained using Expression (5). u _i ⁰ is an input of the F1 layer.

FIG. 3C is a block diagram illustrating a configuration of the F1 layer 622. The F1 layer 622 holds u _i ⁰ obtained by the equation (5) as short-term memory, and calculates p _i to be input to the F2 layer 722. Formulas (6) to (12) collectively show the calculation formulas of the F2 layer. Here, a and b are constants, f (·) is a function shown in equation (4), and T _j is a fitness calculated by the F2 layer 623.

ただし、

However,

  FIG. 4 is a flowchart of the security diagnosis unit 170, and is a diagram for explaining R50 in FIG. 2 in detail.

  Step S10: The security diagnosis unit 170 compares the operation signal classification result 12 with the previous operation signal classification result information 13 stored in the operation signal classification database 161 to check whether or not it has changed from the previous category. If the category has not changed, the process proceeds to step S20, and if the category has changed, the process proceeds to step S30.

  Step S20: If there is no category change, the security diagnosis unit 170 determines that the operation is normal and ends the processing.

  Step S30: The security diagnosis unit 170 reads out the past diagnosis result information 20 from the diagnosis result database 180 and calculates the number of category changes F. The calculated category change count F is recorded in the diagnosis result database 180, and the process proceeds to step S40.

  Step S40: The security diagnosis unit 170 records the time T at which the category was changed in the diagnosis result database 180, and proceeds to step S50.

  Step S50: The security diagnosis unit 170 checks whether the product of the number of category changes calculated in step S30 and the distance D between categories stored in the operation signal classification result database 161 is equal to or greater than a specified value. The inter-category distance D is obtained by, for example, an expression shown in Expression (13). Ai and Bi are signal values before and after the category change.

  If the check result is equal to or larger than the specified value α, that is, if Expression (14) is satisfied, the process proceeds to step S60 to perform an abnormal operation determination process, and if less than the specified value, the process proceeds to step S70.

  Step S60: The security diagnosis unit 170 determines that the remote plant control device 310 is in an abnormal state and the plant 200 may be broken, and displays a warning on the image display device 440 via the external interface 120. Then, the process ends.

  Step S70: The security diagnosis unit 170 reads the previous category change time from the diagnosis result database 180, calculates a difference time S from the current category change time, and proceeds to step S80.

  Step S80: The security diagnosis unit 170 determines that the product P of the reciprocal of the difference time S calculated in step S70 and the distance between categories stored in the operation signal classification result database 161 is equal to or larger than the specified value β, that is, the equation (15) If it satisfies, the process proceeds to step S90 to perform an abnormal operation determination process.

  Step S90: The security diagnosis unit 170 determines that the plant 200 is possibly operating abnormally, displays a warning on the image display device 440 via the external interface 120, and ends the processing.

  Step S100: The security diagnosis unit 170 determines that the operation is normal, and ends the processing.

  In the security diagnosis means of the present invention showing a series of processing flows shown in FIG. 4, the operation signal sharply increases even within a normal operation range based on the number of category changes and the inter-category distance information stored in the operation signal classification result database 161 in step S50. Thus, an effect that a significant change can be detected as an abnormality is obtained.

  Also, in step S80, from the difference time and the inter-category distance information stored in the operation signal classification result database 161, an effect that a short-time repetition of signal change of the operation signal can be detected as abnormal even within a normal operation range.

  FIG. 5 is a diagram for explaining the state of data stored in the operation signal classification result database 161. The operation signal classification result database 161 stores the relationship between the time and the category number at the time of operation signal classification, and the distance coefficient before and after the category change.

  FIG. 6 is a diagram for explaining the state of the data stored in the diagnosis result database 180. The diagnosis result database 180 stores the number of times the category has been changed and the time at which the category change occurred.

  Using the operation signal classification result information 13 stored in the operation signal classification result database 161 and the diagnosis result information 20 stored in the diagnosis result database 180, the diagnosis unit 180 diagnoses the state of the remote plant control server 310. .

  FIG. 7 is a diagram illustrating an example of a screen displayed on the image display device 440. The image display device displays an operation signal value, a result of categorizing the operation signal and the measurement signal into categories, and a diagnosis result. On this screen, the operation results of the operation signal classification unit 151 and the security diagnosis unit 170 can be confirmed. According to this screen, it is displayed that malware has been infected due to a change in the operation signal.

  In addition to the screens described above, the image display device 440 of the present embodiment displays a trend graph of operation signals and measurement signals and information of various databases, so that an operator can grasp the state of the plant 200 and the remote plant control server. .

  FIG. 8 is a diagram illustrating a configuration when the plant 200 to be diagnosed is a power plant using a gas turbine. The plant 200 includes a gas turbine generator 220 and an on-site plant control device 210. The gas turbine generator 220 includes a generator 221, a compressor 222, a combustor 223, and a turbine 224.

At the time of power generation, the air sucked by the compressor 222 is compressed into compressed air, and the compressed air is sent to the combustor 223 to be mixed with fuel and burned. The turbine 224 is rotated using the high-pressure gas generated by the combustion, and power is generated by the power generator 221.
The on-site plant control device 210 controls the output of the gas turbine generator 220 according to the power demand. Further, the on-site plant control device 210 uses the operation data 18 measured by a sensor (not shown) installed in the gas turbine generator 220 as input data. The operation data 18 is a state quantity such as an intake air temperature, a fuel input amount, a turbine gas temperature, a turbine speed, a generator power generation amount, and turbine vibration, and is measured at each sampling cycle. It also measures weather information such as atmospheric temperature.

The on-site plant control device 210 uses these operation data 19 to calculate the control signal 18 for controlling the gas turbine generator 220. Further, the on-site plant control device 210 performs a process of generating an alarm when the value of the operation data 19 deviates from a preset range. The alarm signal is processed as a digital signal of 1 when the operation data 19 deviates from a preset range, and as a digital signal of 0 when the operation data 19 is within the preset range. When the alarm signal is 1, the operator is notified of the contents of the alarm by sound or screen display.
The on-site plant control device 210 transmits the measured operation data 19, the control signal 18 calculated by the on-site plant control device 210, and the measurement signal including the alarm signal to the plant data recording device 320.

In the operation signal DB 140 of the present embodiment, at least a fuel input amount for controlling the output of the gas turbine generator 110 and a command value of the turbine speed are stored as operation signals.
In the measurement signal DB 130 of this embodiment, at least intake air temperature, fuel injection amount, turbine exhaust gas temperature, turbine speed, generator power generation amount, turbine shaft vibration, and other state quantities are stored as measurement signals.

  By using the security diagnosis device of the present invention, even when the value of the operation signal transmitted to the power plant is within the normal operation range, it is possible to detect an abnormality in which the value of the operation signal changes rapidly. As a result, it is possible to obtain an effect that it is possible to avoid a failure of the turbine caused by repeatedly changing the rotation speed of the turbine between the minimum value and the maximum value at a stretch.

  FIG. 9 is a diagram showing an embodiment when the plant 200 is a power storage plant. FIG. 9 is a diagram illustrating a configuration when the plant 200 to be diagnosed is a power storage system. The plant 200 includes a power storage system 220 and a site plant control device 210. The power storage system 220 includes a storage battery 225, a PCS (Power Conditioning System) 226 that converts DC and AC, a transformer 227, and a circuit breaker 228.

  At the time of discharging, a DC current is passed from the storage battery 225 to the PCS 226, the DC current is converted to an AC current in the PCS 226, boosted to a voltage of the power system by a transformer, connected to the power system by a circuit breaker, and supplied with power. I do. Also, at the time of charging, the power received from the power system is stepped down to the rated voltage of PCS 226 by transformer 227, converted from AC to DC by PCS 226, passed to storage battery 225, and stored by storage battery 225.

  In the operation signal DB 140 according to the present embodiment, at least power for charging and discharging the storage battery 225, an operation control signal of the PCS 226, and the like are stored as operation signals.

  In the measurement signal DB 130 of the present embodiment, at least the state quantities of the storage battery 225 such as SOC (State Of Charge), charging power, discharging power, voltage, temperature, charging power amount, discharging power amount, and operating state of the PCS 226 are measured signal. Will be saved as

  By using the security diagnosis device of the present invention, even if the value of the operation signal transmitted to the power storage plant is within a normal operation range, an effect of detecting an abnormality in which the value of the operation signal changes rapidly can be obtained. As a result, it is possible to avoid the occurrence of frequency fluctuations in the power grid connected to the power grid by repeatedly changing the charging power and the discharging power between the minimum value and the maximum value at once. Can be

  Note that the present invention is not limited to the above-described embodiment, and includes various modifications. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described above.

  In addition, each of the above-described configurations, functions, processing units, processing means, and the like may be partially or entirely realized by hardware, for example, by designing an integrated circuit. In addition, the above-described configurations, functions, and the like may be realized by software by a processor interpreting and executing a program that realizes each function. Information such as a program, a table, and a file for realizing each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

In addition, control lines and information lines are shown as necessary for the description, and do not necessarily indicate all control lines and information lines on a product. In fact, it can be considered that almost all components are connected to each other.
Further, the present invention is applicable to various plants such as a thermal power plant, a nuclear power plant, and a power storage plant as a security diagnosis device.

Reference Signs List 100: Security diagnostic device, 110: External input interface, 120: External output interface, 130: Measurement signal database, 140: Operation signal database, 151: Operation signal classification means, 152: Measurement signal classification means, 161: Operation signal classification result Database, 162: measurement signal classification result database, 170: security diagnosis means, 180: diagnosis result database, 1 ... operation signal, 3 ... measurement signal, 4 ... measurement signal, 5 ... external input signal, 6 ... measurement signal, 7 ... Operation signal, 8 ... measurement signal, 9 ... operation signal, 10 ... operation signal classification result information, 11 ... measurement signal classification result information, 12 ... operation signal classification result information, 13 ... operation signal classification result information, 14 ... measurement signal classification Result information, 15: Measurement signal classification result information, 16: Diagnosis result information, 17: Image display information , 18 ... operation signal, 19 ... measurement signal, 20 ... diagnosis result information, 21 ... diagnosis result information

Claims (10)

Operation signal classifying means for classifying operation signals transmitted by the remote plant control server into categories, a database for storing past diagnostic results, measurement signal classifying means for classifying measurement signals measured in the plant into categories, and the operation Security diagnosis means for diagnosing that the operation signal of the remote plant control server is abnormal based on the classification result of the signal classification means and the classification result of the measurement signal classification means and the past diagnosis result, Security diagnostic device. The security diagnostic device according to claim 1,
The security diagnosis device, wherein the security diagnosis unit compares the classification result of the first period with the classification result of the second period. The security diagnostic device according to claim 2,
The security diagnosis unit determines that the status of the remote plant control server is normal when the relationship between the categories of the operation signal is the same in the first period and the second period,
The relationship between the categories of the operation signal is different between the first period and the second period, and when the category change is equal to or more than a specified value or the category change time is shorter than the specified value, the state of the remote plant control server is abnormal. A security diagnosis device characterized by making a judgment. The security diagnostic device according to claim 1,
An operation signal classification database storing a classification result of the operation signal classification unit,
The security diagnosis apparatus according to claim 1, wherein the operation signal classifying unit sends a result of classification into operation signal categories to the operation signal classification database. The security diagnosis device according to claim 1, wherein
The remote plant control server stores at least a fuel input amount for controlling the output of the gas turbine generator, and a command value of the turbine speed,
The signal to be displayed on the screen of the image display device connected via the external output interface is the result of detecting an abnormality in which the value of the operation signal changes even if the value of the operation signal transmitted to the power plant is within the normal operation range. Yes,
A security diagnosis device, characterized by displaying on a screen information that can avoid a failure of a turbine by repeatedly changing a rotation speed of a turbine between a minimum value and a maximum value. The security diagnosis device according to claim 1, wherein
The remote plant control server stores at least a charge / discharge command value for controlling charge power and discharge power of the storage battery system,
The signal to be displayed on the screen of the image display device connected via the external output interface is a result of detecting an abnormality in which the value of the operation signal changes even if the value of the operation signal transmitted to the power storage plant is within a normal operation range. Yes,
A security diagnosis device characterized by displaying information on a screen which can prevent occurrence of frequency fluctuation of a power system by repeatedly changing a charge / discharge power between a minimum value and a maximum value.   Step of classifying the operation signal transmitted by the remote plant control server into a category, step of classifying the measurement signal measured in the plant into a category, and the classification result of the operation signal and the classification result and the past diagnosis result. A security diagnosis step of diagnosing that an operation signal of the remote plant control server is abnormal based on the security diagnosis method. The security diagnosis method according to claim 7,
The security diagnosis method is characterized in that the security diagnosis step is a step of comparing the classification result of the first period and the classification result of the second period. The security diagnosis method according to claim 8,
The security diagnosis step, when the relationship of the category of the operation signal is the same in the first period and the second period, determines that the state of the remote plant control server is normal,
The relationship between the categories of the operation signal is different between the first period and the second period, and when the category change is equal to or more than a specified value or the category change time is shorter than the specified value, the state of the remote plant control server is abnormal. A security diagnosis method characterized by making a judgment. The security diagnosis method according to claim 7 ,
A security diagnosis method characterized by storing a result of classifying the operation signal into a category in the step of classifying the operation signal into a category .

Images